Cardano can solve Twitter’s security problem with verified tweets
Charles Hoskinson, the founder of Cardano, said that public-key cryptography could be used to solve Twitter’s identity verification problem that led to the massive hack last week.
He explained that the concept of verified tweets would be easy to implement and wouldn’t change Twitter’s business model, and would provide its users with the ultimate control over verifying the content they post.
While any blockchain could be used for this purpose, Hoskinson said that IOHK would build this model for Twitter at cost, adding that a working demo could be available in as little as six weeks if Twitter’s Jack Dorsey was interested in it.
Applying public-key cryptography to Twitter
After suffering the biggest hack in its history last week, Twitter has been faced with a serious problem. Not only did the social media giant see its security shield penetrated, but it also saw the very foundation upon which it based its business model turned upside down.
Introducing another security layer won’t be enough to guarantee that another hack like this won’t happen when the problem lies in the way the platform deals with its verified users.
There is, however, a simple solution to this and it lies in a 50-year-old cryptography model.
Charles Hoskinson, the CEO of IOHK, addressed this issue in a recent YouTube video, saying that public-key cryptography, a concept developed back in the 1970s, would be the quickest and easiest way to solve Twitter’s authentication problem.
The outspoken CEO said that there were a few basic principles to developing a solution for a system as large and complex as Twitter. First, the solution must not introduce any radical changes to the platform. Secondly, it needs to be simple and easy to understand for the end user. It’s also necessary to build it on solid foundations that will guarantee security and longevity. Changing the business model of the company is out of the question, but making the solution cheap and easy to maintain is a must.
This isn’t unrealistic in the slightest—Hoskinson said that public-key cryptography would be able to fulfill every one of these requirements. The model is based on a very simple foundation, which includes creating a signature with the use of a private and a public key.
From a cryptographic standpoint, signing is the process of applying a special mathematical function to a message using the signer’s private key. The result is a signed message that anyone can verify with the signer’s public key: checking the signature against the public key shows whether it was really produced by the holder of the matching private key.
Hoskinson said that this model can then be combined with a relatively new concept called the DID standard. Developed by the W3C (World Wide Web Consortium), Decentralized Identifiers (DIDs) are a way of handling identity online. They consist of two key parts—the DID ID, a small identifier of letters and numbers, and the DID document, which is a kind of HTML file with a structured set of information about the DID. Any type of information could be added to the DID document, which includes public and private keys.
While none of this is considered to be either new or revolutionary, the way these two concepts can be applied to Twitter makes them rather unique.
Introducing the concept of verified tweets
DIDs and public-key cryptography are a perfect way to introduce verified tweets to the platform.
Instead of relying only on the blue checkmark as proof of someone’s identity, the platform could add an extra layer of security by providing proof that a particular tweet’s been properly authenticated.
This can be done by introducing user DIDs, both as a separate step in the account creation process and by allowing existing users to import their own DIDs. All of the DIDs registered with Twitter would then go out to a whitelisted ID verifier—Hoskinson said that a verifier can be anyone from Verisign to a government entity. The third-party verifier would add their own signature to the DIDs and transfer them back to Twitter, which would do the same. From there on, users won’t be able to make any changes to the DID, as only the verifier and Twitter would have the private keys to it.
User DIDs would then be embedded in one or more blockchains. Hoskinson said that adding the same data to Cardano, Bitcoin, and Ethereum would be redundant but is something that Twitter might see as an extra layer of security. Nonetheless, embedding user DIDs in a blockchain would provide them with three very important properties—timestamping, auditability, and immutability.
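The registration flow above, as an added illustration that is not code from the article, from IOHK or from Atala Prism: the verifier signs the user's DID document, Twitter countersigns the document together with the verifier's signature, and the finished record is hashed into a commitment that would be written to a blockchain. The Ed25519 keys, the `did:example:` identifiers, the JSON document and the record layout are all assumptions made for this example; the blockchain write itself is outside it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DIDRecord is a constructed record for this example: the DID identifier, the
// DID document bytes as the user submitted them, and the two countersignatures
// that freeze the document once the verifier and the platform have accepted it.
type DIDRecord struct {
	DID         string
	Document    []byte
	VerifierSig []byte // verifier signs DID + document
	PlatformSig []byte // platform signs DID + document + verifier signature
}

// verifierInput is exactly what the third-party verifier signs.
func verifierInput(did string, doc []byte) []byte {
	return append([]byte(did+"\n"), doc...)
}

// platformInput is what the platform signs. It includes the verifier's
// signature, so the platform's signature also attests that verification happened.
func platformInput(did string, doc, verifierSig []byte) []byte {
	return append(verifierInput(did, doc), verifierSig...)
}

// Register performs the two-step countersigning: verifier first, then the
// platform over the verifier's output.
func Register(did string, doc []byte, verifierPriv, platformPriv ed25519.PrivateKey) DIDRecord {
	vsig := ed25519.Sign(verifierPriv, verifierInput(did, doc))
	psig := ed25519.Sign(platformPriv, platformInput(did, doc, vsig))
	return DIDRecord{DID: did, Document: doc, VerifierSig: vsig, PlatformSig: psig}
}

// CheckRecord returns true only if both signatures hold over the record as
// stored. Any later change to the document by the user invalidates both.
func CheckRecord(rec DIDRecord, verifierPub, platformPub ed25519.PublicKey) bool {
	if !ed25519.Verify(verifierPub, verifierInput(rec.DID, rec.Document), rec.VerifierSig) {
		return false
	}
	return ed25519.Verify(platformPub, platformInput(rec.DID, rec.Document, rec.VerifierSig), rec.PlatformSig)
}

// Commitment is the SHA-256 digest of the full record. Anchoring this digest in
// a blockchain is what gives the record a timestamp and an immutable audit trail.
func Commitment(rec DIDRecord) string {
	h := sha256.New()
	h.Write(verifierInput(rec.DID, rec.Document))
	h.Write(rec.VerifierSig)
	h.Write(rec.PlatformSig)
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	verifierPub, verifierPriv, _ := ed25519.GenerateKey(rand.Reader)
	platformPub, platformPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed DID document: the user's public key is the only claim in it.
	doc := []byte(`{"id":"did:example:alice","publicKey":"` + hex.EncodeToString(userPub) + `"}`)
	rec := Register("did:example:alice", doc, verifierPriv, platformPriv)
	fmt.Println("valid:", CheckRecord(rec, verifierPub, platformPub))
	fmt.Println("commitment:", Commitment(rec))

	// The user swaps in a different document after registration: the check fails.
	rec.Document = []byte(`{"id":"did:example:alice","publicKey":"deadbeef"}`)
	fmt.Println("valid after edit:", CheckRecord(rec, verifierPub, platformPub))
}
```

Because the platform signs over the verifier's signature rather than over the document alone, a record with a forged or replaced verifier signature fails the platform check as well, which is the property the article's "only the verifier and Twitter hold the keys" statement depends on.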
Hoskinson said that Atala Prism, Cardano’s own ID and credentials solution, has lots of built-in capabilities that would make this easy to integrate both for Twitter and for the third-party verifier.
When it comes to the economics of such a model, he explained that it would be easy to implement a small fee at the account creation process that would cover the cost of the verifier. Twitter too could take a share of the profit from the fees, but it wouldn’t incur any additional costs from it.
The power of Prism lies in its ability to add more capabilities in time. According to Hoskinson, Twitter could add threshold proofs that would be used to add age or geographical restrictions.
If used on mobile phones, Prism could leverage their hardware and enable users to sign their tweets with fingerprints. A tweet that’s been signed with a user’s private key would only be cosmetically different from a regular tweet, but it would be easy to differentiate between the two, Hoskinson said.
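The signed tweet described here and under "Introducing the concept of verified tweets", as an added example that is not code from the article or from IOHK: the client signs the tweet with the private key whose public half is published in its DID document, and the platform verifies the signature with that public key before showing the tweet as verified. Ed25519, the `tweet-v1` byte layout and the sample DID are assumptions of this example; binding the DID and a timestamp into the signed bytes is one design choice among several.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedTweet is a constructed type for this example: what a client would
// attach to a tweet so the platform (or anyone) can check who wrote it.
type SignedTweet struct {
	AuthorDID string
	Text      string
	Timestamp int64  // unix seconds, so an old signed tweet cannot be re-dated
	Signature []byte // Ed25519 signature over SignedBytes
}

// SignedBytes fixes the exact byte string covered by the signature. The DID
// and timestamp are bound in with the text, so a valid signature cannot be
// moved onto another account or presented as a later tweet.
func SignedBytes(did, text string, ts int64) []byte {
	return []byte(fmt.Sprintf("tweet-v1\n%s\n%d\n%s", did, ts, text))
}

// SignTweet is the client-side step: sign with the key whose public half is
// published in the user's DID document (on a phone, behind the fingerprint sensor).
func SignTweet(priv ed25519.PrivateKey, did, text string, ts int64) SignedTweet {
	return SignedTweet{did, text, ts, ed25519.Sign(priv, SignedBytes(did, text, ts))}
}

// VerifyTweet is the platform-side step. pub is the key the platform resolved
// from the tweet's DID; any mismatch in text, DID, time or key yields false.
func VerifyTweet(pub ed25519.PublicKey, t SignedTweet) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // a malformed key must not be passed to Verify
	}
	return ed25519.Verify(pub, SignedBytes(t.AuthorDID, t.Text, t.Timestamp), t.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tw := SignTweet(priv, "did:example:alice", "Constructed tweet text.", 1595000000)
	fmt.Println("signature:", base64.StdEncoding.EncodeToString(tw.Signature))
	fmt.Println("genuine:", VerifyTweet(pub, tw))

	// Text altered after signing: the platform would refuse the verified mark.
	edited := tw
	edited.Text = "Edited after signing."
	fmt.Println("edited text:", VerifyTweet(pub, edited))

	// Signature checked against some other account's key.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", VerifyTweet(otherPub, tw))
}
```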
So, what are the real-world implications of this model?
Hoskinson believes that having the assurance that a tweet has truly been written by a specific person is invaluable on a platform such as Twitter. With a single tweet having the ability to move the stock market and siphon millions of dollars in a scam, authenticity becomes the most valuable currency.
There are numerous ways this blockchain-based authenticity system can be applied. In light of the latest scam that targeted some of the most high-profile accounts on the platform, including Donald Trump, Bill Gates, and Elon Musk, Twitter could easily introduce special policies for high-value users like them. For example, this could be something like enabling high-value users such as political figures to post only verified tweets, or requiring multiple signatures for a tweet to be sent. That way, all tweets sent by a high-value user would be curated by a team of responsible people.
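The "multiple signatures for a tweet to be sent" policy for high-value accounts, as an added example that is not code from the article or from IOHK: a k-of-n rule in which each member of the account's team signs the tweet with their own key, and the platform counts distinct valid approvers before releasing it. Ed25519, the 2-of-3 policy, the sample DID and the index-based approver list are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ReleasePolicy is a constructed k-of-n rule for a high-value account: a tweet
// may be posted only once at least Threshold distinct approvers have signed it.
type ReleasePolicy struct {
	Approvers []ed25519.PublicKey
	Threshold int
}

// Approval is one approver's signature over the tweet bytes.
type Approval struct {
	ApproverIndex int
	Signature     []byte
}

// tweetBytes binds the account and text together, as for single-signer tweets.
func tweetBytes(accountDID, text string) []byte {
	return []byte(accountDID + "\n" + text)
}

// Approve is what one member of the account's team does with their own key.
func Approve(index int, priv ed25519.PrivateKey, accountDID, text string) Approval {
	return Approval{index, ed25519.Sign(priv, tweetBytes(accountDID, text))}
}

// CountValid returns how many distinct approvers validly signed. Duplicate
// approvals from the same key, out-of-range indexes and bad signatures do not
// count, so a single compromised approver key cannot reach the threshold alone.
func CountValid(p ReleasePolicy, accountDID, text string, approvals []Approval) int {
	seen := make(map[int]bool)
	msg := tweetBytes(accountDID, text)
	for _, a := range approvals {
		if a.ApproverIndex < 0 || a.ApproverIndex >= len(p.Approvers) || seen[a.ApproverIndex] {
			continue
		}
		if ed25519.Verify(p.Approvers[a.ApproverIndex], msg, a.Signature) {
			seen[a.ApproverIndex] = true
		}
	}
	return len(seen)
}

// MayRelease is the platform's gate before a tweet from this account is posted.
func MayRelease(p ReleasePolicy, accountDID, text string, approvals []Approval) bool {
	return CountValid(p, accountDID, text, approvals) >= p.Threshold
}

func main() {
	var pubs []ed25519.PublicKey
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	policy := ReleasePolicy{Approvers: pubs, Threshold: 2}
	did, text := "did:example:official", "Constructed announcement text."

	one := []Approval{Approve(0, privs[0], did, text)}
	fmt.Println("one approver:", MayRelease(policy, did, text, one))

	dup := []Approval{one[0], Approve(0, privs[0], did, text)} // same key twice
	fmt.Println("same key twice:", MayRelease(policy, did, text, dup))

	two := []Approval{one[0], Approve(2, privs[2], did, text)}
	fmt.Println("two distinct approvers:", MayRelease(policy, did, text, two))
}
```

The deduplication by approver index is the part worth checking in a real deployment: without it, one stolen key could be used to sign the same tweet k times and satisfy the threshold by itself.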
Aside from adding extra assurance to high-profile accounts, public-key cryptography could also bring numerous other benefits to everyday, regular users. Hoskinson said that one of the “happy coincidences” of this model is that it can enable private encrypted messaging. Two users that know each other’s DIDs can utilize the cryptographic models inside it to establish secure messaging channels.
It can also enable a more secure platform access process by introducing a challenge-response protocol for logins. With this, Hoskinson said, users can have three-factor authentication (3FA).
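The challenge-response login mentioned above, as an added example that is not code from the article or from IOHK: the server issues a random single-use challenge with an expiry, the client signs it with the DID's private key, and the server verifies the signature against the DID's registered public key. Ed25519, the `login-v1` byte layout, the two-minute lifetime and the `twitter.example` origin are assumptions of this example; binding the origin into the signed bytes is included because it is what stops a response meant for one site from being relayed to another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// LoginServer is a constructed stand-in for the platform's login service: it
// knows each DID's public key and remembers the challenges it has issued.
type LoginServer struct {
	Origin   string                       // bound into the signed bytes to defeat cross-site relay
	Keys     map[string]ed25519.PublicKey // DID -> registered public key
	pending  map[string]time.Time         // challenge (hex) -> expiry
	Now      func() time.Time             // injectable clock
	lifetime time.Duration
}

func NewLoginServer(origin string, keys map[string]ed25519.PublicKey) *LoginServer {
	return &LoginServer{Origin: origin, Keys: keys, pending: map[string]time.Time{}, Now: time.Now, lifetime: 2 * time.Minute}
}

// Challenge issues a fresh 32-byte random nonce and records when it expires.
func (s *LoginServer) Challenge() string {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness means no secure challenge
	}
	c := hex.EncodeToString(nonce)
	s.pending[c] = s.Now().Add(s.lifetime)
	return c
}

// ResponseBytes is what the client signs: origin, DID and the challenge.
func ResponseBytes(origin, did, challenge string) []byte {
	return []byte("login-v1\n" + origin + "\n" + did + "\n" + challenge)
}

// Respond is the client side: sign the challenge with the DID's private key.
func Respond(priv ed25519.PrivateKey, origin, did, challenge string) []byte {
	return ed25519.Sign(priv, ResponseBytes(origin, did, challenge))
}

// Login consumes the challenge (single use), rejects expired or unknown ones,
// and verifies the signature against the DID's registered key.
func (s *LoginServer) Login(did, challenge string, sig []byte) error {
	expiry, ok := s.pending[challenge]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, challenge) // single use, even when the checks below fail
	if s.Now().After(expiry) {
		return errors.New("challenge expired")
	}
	pub, ok := s.Keys[did]
	if !ok {
		return errors.New("unknown DID")
	}
	if !ed25519.Verify(pub, ResponseBytes(s.Origin, did, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewLoginServer("twitter.example", map[string]ed25519.PublicKey{"did:example:alice": pub})

	c := srv.Challenge()
	sig := Respond(priv, "twitter.example", "did:example:alice", c)
	fmt.Println("first login:", srv.Login("did:example:alice", c, sig))
	fmt.Println("replayed:", srv.Login("did:example:alice", c, sig))

	// A response signed for a different origin does not verify here.
	c2 := srv.Challenge()
	sig2 := Respond(priv, "other.example", "did:example:alice", c2)
	fmt.Println("wrong origin:", srv.Login("did:example:alice", c2, sig2))
}
```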
The reason why this presentation bears so much weight is the fact that it’s not just theoretical—Hoskinson offered to implement this for Twitter at cost. He reached out to Jack Dorsey, the CEO of Twitter, with the proposition, saying that IOHK would be able to produce a working demo of verified tweets in as little as six weeks and have the finished product ready for deployment in a few months.